Changes

no edit summary
Line 2: Line 2:     
==Short Overview==
 
==Short Overview==
DNSSEC is short for "DNS Security Extensions". Its main goal is to protect against [[Data Spoofing|data spoofing]] and corruption.  Initially, it was called only [[DNS]] (Domain Name System) and did not include security extensions. The main DNSSEC extensions are specified by RFC4033, RFC4034, and RFC4035. There are also some additional [[RFC]]s which provide supporting information.  
+
DNSSEC is short for "DNS Security Extensions". Its main goal is to protect against [[Data Spoofing|data spoofing]] and corruption.  Initially, it was called only [[DNS]] (Domain Name System) and did not include security extensions. The main DNSSEC extensions are specified by RFC4033, RFC4034, and RFC4035. There are also some additional [[RFC]]s which provide supporting information. <ref>[http://www.dnssec.net DNSSEC Official Website/]</ref>
    
Apart from the new DNS server and client concepts, DNSSEC introduces to DNS the following 4 new resource records: [[DNSKEY]], [[RRSIG]], [[NSEC]] and [[DS]].
 
Apart from the new DNS server and client concepts, DNSSEC introduces to DNS the following 4 new resource records: [[DNSKEY]], [[RRSIG]], [[NSEC]] and [[DS]].
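Review bot: In the `<ref>` added to the "DNSSEC is short for..." line, the trailing slash sits inside the link label ("DNSSEC Official Website/") instead of on the URL, so it will render as part of the visible text. Suggest `<ref>[http://www.dnssec.net/ DNSSEC Official Website]</ref>`, and drop the space before `<ref>` so the footnote marker follows the full stop directly, as the ref added in the Line 9 hunk does.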
Line 9: Line 9:  
The DNS was initially developed without any security extensions, thus increasing the chances to get out of synch and allow the spoofing of [[IP Addresses]] with the purpose of redirecting traffic to undesired websites. This is how DNSSEC appeared: as a need for adding protection and security to DNS so that the redirected traffic could be checked and directed towards the correct server.  
 
The DNS was initially developed without any security extensions, thus increasing the chances to get out of synch and allow the spoofing of [[IP Addresses]] with the purpose of redirecting traffic to undesired websites. This is how DNSSEC appeared: as a need for adding protection and security to DNS so that the redirected traffic could be checked and directed towards the correct server.  
   −
The DNS ensures the correlation between the web address with [[IP Address]] and route traffic, but the DNSSEC ensures accuracy of the lookup date by adding a digital signature. In this way, the computer is connected to legitimate servers. If the DNSSEC authentication does not work (such as when the encryption keys do not match), due to the backwards-compatible system, the transaction will follow the DNS protocols.
+
The DNS ensures the correlation between the web address with [[IP Address]] and route traffic, but the DNSSEC ensures accuracy of the lookup date by adding a digital signature. In this way, the computer is connected to legitimate servers. If the DNSSEC authentication does not work (such as when the encryption keys do not match), due to the backwards-compatible system, the transaction will follow the DNS protocols.<ref>[http://www.educause.edu/Resources/7ThingsYouShouldKnowAboutDNSSE/195431 7 things about DNSSEC]</ref>
    
==Objectives==
 
==Objectives==
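Review bot: The sentence that receives the new citation still reads "accuracy of the lookup date" and "encryption keys do not match". The first looks like a typo for "lookup data", and the second is at odds with the same sentence's "adding a digital signature", since what is being checked is a signature, not encryption. Both are worth fixing while the line is being touched. It is also worth confirming that the cited page supports the fallback claim ("the transaction will follow the DNS protocols"), because falling back to unauthenticated DNS after a failed check would undo the spoofing protection the previous paragraph describes.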
Line 16: Line 16:  
* Origin authority
 
* Origin authority
 
* Data integrity
 
* Data integrity
* Authenticated denial of existence
+
* Authenticated denial of existence <ref>[http://ripe.net/training/dnssec/material/dnssec.pdf DNSSEC Objectives]</ref>
    
The DNSSEC mechanism of authentication of communication between hosts is fulfilled by means of [[TSIG]]. More specifically, the [[TSIG]] is used to securely authenticate the transactions between the name servers and the resolver. The DNSSEC mechanism of establishing authenticity and data integrity is achieved by means of: new RRs, signing a single zone, building a trust chain and by means of [[key rollers]] or [[key exchange]].
 
The DNSSEC mechanism of authentication of communication between hosts is fulfilled by means of [[TSIG]]. More specifically, the [[TSIG]] is used to securely authenticate the transactions between the name servers and the resolver. The DNSSEC mechanism of establishing authenticity and data integrity is achieved by means of: new RRs, signing a single zone, building a trust chain and by means of [[key rollers]] or [[key exchange]].
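Review bot: The new `<ref>` hangs off the last bullet ("Authenticated denial of existence") with a space before it, so it reads as sourcing only that item although its label is "DNSSEC Objectives". If it sources the whole list, attach it to the line that introduces the list instead. Either way, remove the space before `<ref>` so the marker is not separated from the text it cites.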
Line 69: Line 69:  
* RFC 4509 Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
 
* RFC 4509 Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
 
* RFC 4641 DNSSEC Operational Practices
 
* RFC 4641 DNSSEC Operational Practices
* RFC 5155 DNSSEC Hashed Authenticated Denial of Existence
+
* RFC 5155 DNSSEC Hashed Authenticated Denial of Existence <ref>[http://www.dnssec.net/ DNSSEC Standards]</ref>
    
==References==
 
==References==
 
{{Reflist}}
 
{{Reflist}}
[http://www.dnssec.net/presentations]
+
 
[http://www.dnssec.net/]
   
[[Category: Glossary]]
 
[[Category: Glossary]]
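Review bot: The ref added to the RFC 5155 bullet points at http://www.dnssec.net/ under the label "DNSSEC Standards", the same site the Line 2 hunk cites as "DNSSEC Official Website", so {{Reflist}} will list two footnotes for one source. A named ref (`<ref name="dnssec-net">`) reused in both places would avoid that. The bracketed URL left under {{Reflist}} has no link text and will render as a bare numbered link; give it a label, or drop it now that the site is cited inline.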